/// <summary> /// Closes the handle to the process, if it is open. /// </summary> public void Close() { if (this.ProcHandle != null && !this.ProcHandle.Equals(IntPtr.Zero)) { WinApi.CloseHandle(this.ProcHandle); this.ProcHandle = IntPtr.Zero; } }
/// <summary> /// Opens the process by id. Stores information about the target process. /// </summary> /// <param name="pid">The process identifier of the target process.</param> /// <returns>Returns true on success.</returns> public bool Open(uint pid) { if (!SysInteractor.IsInitialized) { SysInteractor.Init(); } WinApi.ProcessRights flags = WinApi.ProcessRights.QUERY_INFORMATION | WinApi.ProcessRights.VM_READ | WinApi.ProcessRights.VM_WRITE | WinApi.ProcessRights.VM_OPERATION; this.ProcHandle = WinApi.OpenProcess(flags, false, pid); if (this.ProcHandle != null) { try { this.Proc = Process.GetProcessById((int)pid); } catch (ArgumentException) { WinApi.CloseHandle(this.ProcHandle); return(false); } bool isWow64; if (!WinApi.IsWow64Process(this.ProcHandle, out isWow64)) { this.Status.Log( "Unable to determine bitness of process: " + this.Proc.ProcessName, Logger.Level.HIGH); } // 64-bit process detection. // Note: This does not take into account for PAE. No plans to support PAE currently exist. if (isWow64) { // For scanning purposes, Wow64 processes will be treated as as 32-bit processes. this.Is64Bit = false; this.d.TargetArchitecture = Disassembler.Architecture.x86_32; } else { // If it is not Wow64, then the process is natively running, so set it according to the OS // architecture. this.Is64Bit = SysInteractor.Is64Bit; this.d.TargetArchitecture = this.Is64Bit ? Disassembler.Architecture.x86_64 : Disassembler.Architecture.x86_32; } return(true); } else { this.Status.Log("Unable to open the target process.", Logger.Level.HIGH); return(false); } }
internal static bool HasExitedSafe(this Process p) { System.Runtime.InteropServices.ComTypes.FILETIME create, exit, kernel, user; IntPtr handle = WinApi.OpenProcess(WinApi.ProcessRights.QUERY_LIMITED_INFORMATION, false, (uint)p.Id); WinApi.GetProcessTimes(handle, out create, out exit, out kernel, out user); WinApi.CloseHandle(handle); return((exit.dwHighDateTime != 0) && (exit.dwLowDateTime != 0)); }
/// <summary> /// Gets the name of the file referenced by the supplied file handle. /// </summary> /// <param name="fileHandle">The handle to the file.</param> /// <returns>Returns the full path to the file.</returns> /// <remarks>Thanks to Rudi for providing this code. http://stackoverflow.com/a/3314313</remarks> public static string GetFileNameFromHandle(IntPtr fileHandle) { string fileName = string.Empty; IntPtr fileMap = IntPtr.Zero, fileSizeHi = IntPtr.Zero; uint fileSizeLo = 0; fileSizeLo = WinApi.GetFileSize(fileHandle, fileSizeHi); if (fileSizeLo == 0) { // Cannot map a 0 byte file. return("Empty file."); } fileMap = WinApi.CreateFileMapping(fileHandle, IntPtr.Zero, WinApi.FileMapProtection.PageReadonly, 0, 1, null); if (fileMap != IntPtr.Zero) { IntPtr memPtr = WinApi.MapViewOfFile(fileMap, WinApi.FileMapAccess.FileMapRead, 0, 0, 1); if (memPtr != IntPtr.Zero) { StringBuilder fn = new StringBuilder(250); WinApi.GetMappedFileName(System.Diagnostics.Process.GetCurrentProcess().Handle, memPtr, fn, 250); if (fn.Length > 0) { WinApi.UnmapViewOfFile(memPtr); WinApi.CloseHandle(fileHandle); return(fn.ToString()); } else { WinApi.UnmapViewOfFile(memPtr); WinApi.CloseHandle(fileHandle); return("Empty filename."); } } } return("Empty filemap handle."); }
/// <summary> /// Load a DLL in an external process. /// </summary> /// <param name="dllPath">The path to the DLL to be loaded.</param> /// <returns>Returns true if the DLL was successfully loaded in the target process.</returns> public bool InjectDll(string dllPath) { IntPtr injectHandle = IntPtr.Zero; IntPtr remoteString = IntPtr.Zero; IntPtr loadLibAddy = IntPtr.Zero; // If the PID has not been set, then not enough information is available for the injection. if (!this.IsOpen) { return(false); } // Get a higher level access handle than the one originally used to open the process. injectHandle = WinApi.OpenProcess( WinApi.ProcessRights.CREATE_THREAD | WinApi.ProcessRights.QUERY_INFORMATION | WinApi.ProcessRights.VM_OPERATION | WinApi.ProcessRights.VM_WRITE | WinApi.ProcessRights.VM_READ, false, (uint)this.PID); if (injectHandle == null || injectHandle.Equals(IntPtr.Zero)) { #if DEBUG Console.Error.WriteLine("OpenProcess() failed: " + Marshal.GetLastWin32Error()); #endif return(false); } // Get the address of the function that will load the DLL. loadLibAddy = WinApi.GetProcAddress(WinApi.GetModuleHandle("kernel32.dll"), "LoadLibraryA"); // Allocate a section of memory in the target process to in which to store store the DLL path. remoteString = WinApi.VirtualAllocEx( injectHandle, IntPtr.Zero, (uint)dllPath.Length, WinApi.MemoryState.MEM_RESERVE | WinApi.MemoryState.MEM_COMMIT, WinApi.MemoryProtect.PAGE_READWRITE); if (remoteString == null || remoteString.Equals(IntPtr.Zero)) { #if DEBUG Console.Error.WriteLine("VirtualAllocEx() failed: " + Marshal.GetLastWin32Error()); #endif WinApi.CloseHandle(injectHandle); return(false); } // Write the DLL name to the remote process' memory space. uint numBytesWritten = 0; bool wpm = WinApi.WriteProcessMemory( injectHandle, remoteString, this.GetBytes(dllPath), (uint)dllPath.Length, out numBytesWritten); if (!wpm) { #if DEBUG Console.Error.WriteLine("WriteProcessMemory() failed: " + Marshal.GetLastWin32Error()); #endif WinApi.CloseHandle(injectHandle); return(false); } // Load the DLL, by calling the LoadLibrary function in the remote process. uint threadId = 0; IntPtr result = WinApi.CreateRemoteThread( injectHandle, IntPtr.Zero, 0, loadLibAddy, remoteString, 0, out threadId); if (result == null || result.Equals(IntPtr.Zero) || threadId == 0) { #if DEBUG Console.Error.WriteLine("CreateRemoteThread() failed: " + Marshal.GetLastWin32Error()); #endif WinApi.CloseHandle(injectHandle); return(false); } // Clean up and exit. WinApi.CloseHandle(injectHandle); return(true); }